
DMVPN (dynamic multipoint virtual private network) is a design approach that provides full-mesh connectivity using multipoint GRE tunnels. DMVPN is not a protocol in itself; it is a design approach that combines the following technologies:

NHRP (next-hop resolution protocol)

mGRE (multipoint GRE)

Routing protocol

IPsec encryption (optional)

Most of these technologies are familiar to networking professionals, except for NHRP. NHRP is a resolution protocol that behaves much like ARP. In an NHRP environment there are two roles: the NHS (next-hop server) and the NHC (next-hop client). The NHCs register themselves with the NHS and provide information such as their logical VPN IP addresses and the corresponding physical NBMA addresses. The NHCs also query the NHS to learn how to reach the other NHCs, i.e. the logical-IP-to-NBMA mapping of each peer. NHRP was used earlier in legacy overlay VPN environments, particularly for building frame-relay SVCs (switched virtual circuits). Today the protocol is used in DMVPN with the same behavior.

DMVPN is typically deployed using MPLS and Internet services because DMVPN has the capability to build dynamic tunnels to other spokes or branches without going through the hub site. This makes efficient use of the full mesh topologies mentioned above. If DMVPN is deployed using the Internet, the hub router requires a static public IP address as this will be configured in the NHC routers as the NHS IP address. The spokes don’t require a static public IP address as a tunnel source because they will report their physical IP to logical mappings to the NHS or the hub. In an MPLS environment, using the IP address of the Loopback is an acceptable design. DMVPN provides zero-touch configuration on the hub router if a new spoke is added.

DMVPN has so far gone through three phases of evolution: Phase 1 supported only hub-and-spoke, Phase 2 added direct spoke-to-spoke tunnels, and Phase 3 adds features such as NHRP Shortcut and other enhancements that help a hierarchical DMVPN design scale better. Our lab will focus more on Phase 2.

In this GNS3 lab we will complete the tasks listed below. Each step will be verified.

Configure DMVPN on the hub router R1.

Configure spokes R2, R3 and R4.

Configure EIGRP as the routing protocol and enable spoke-to-spoke tunnels. Add Loopback10 to each of the routers and announce it in EIGRP.

Configure encryption.

Below are the physical and logical diagrams.

Figure 1. Network Topology

Figure 2. DMVPN Topology

Task 1: Configure DMVPN on the Hub Router R1

The MPLS router in the GNS3 topology has already been pre-configured to peer with all the routers using BGP. The routers in this topology are already announcing their Loopback0s through BGP. Before proceeding with the configuration, let’s check if we can see the loopback IP addresses of all the routers from R1.

ip nhrp map multicast dynamic: Normally this is configured on the hub routers so that NHRP automatically adds registering spokes to the multicast NHRP mappings; a static multicast mapping is then no longer required for each spoke. This is what allows routing protocols (which rely on multicast hellos) to work over the mGRE interface.

ip nhrp authentication <string>: This is an optional command. All the routers with NHRP within the same DMVPN network must have the same string or password.

ip nhrp network-id <number>: This command is required to start NHRP. All routers in the same NHRP network should have the same network-id. Together with the “tunnel key” command it can also be used to segregate different DMVPN networks that use the same interface/IP address as the tunnel source.

tunnel source Loopback0: This is the “physical” or real IP address which the tunnel should be sourced from. In the typical GRE configuration, a tunnel destination is required, but in DMVPN the tunnel destination is resolved through NHRP.

tunnel key <number>: Like “ip nhrp network-id,” this allows separation of DMVPN networks that use the same interface/IP address as the source of the tunnel. This was mandatory in earlier IOS versions, but on recent ones the DMVPN tunnel can come up without this command.

Task 2: Configure Spokes R2, R3 and R4

Let’s proceed to configure DMVPN on the spokes and explain each command later. The spokes will have a different command set than that of the hub.

ip nhrp map multicast <1.1.1.1>: To put it simply, this command adds the NBMA address (in our case the Loopback0 address of R1) as a recipient of multicast/broadcast traffic sent from this spoke. The address configured here is the source IP address of the hub router’s DMVPN tunnel; if the design uses multiple hubs, each additional hub’s address is added the same way.

ip nhrp map <10.1.1.1> <1.1.1.1>: To put it simply, this command states that 1.1.1.1 is the NBMA (real) IP address behind R1’s tunnel IP address 10.1.1.1.

ip nhrp nhs <10.1.1.1>: This tells the router that the NHS is 10.1.1.1, the tunnel IP address of the hub router R1 in our example. The spoke then knows which router to consult when it wants to form a spoke-to-spoke tunnel. Multiple NHS entries can be configured if there are multiple hubs in the DMVPN network.

The rest of the NHRP commands are self-explanatory. The network-id and tunnel key in the spokes should match what is configured in the hub router.
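The following configuration is an added example that ties the Task 1 and Task 2 commands together; it is not the article’s own configuration output. The addresses taken from the article are R1’s Loopback0 1.1.1.1 (NBMA address) and R1’s tunnel address 10.1.1.1 (the NHS). Everything else is assumed for illustration: tunnel interface number 100, the 10.1.1.0/24 tunnel subnet, R2’s Loopback0 2.2.2.2 and tunnel address 10.1.1.2, network-id and tunnel key 100, and the authentication string DMVPNKEY.

```ios
! Added example, not the article's own configuration.
! From the article: R1 Loopback0 1.1.1.1 (NBMA), R1 tunnel address 10.1.1.1 (NHS).
! Assumed: Tunnel100, subnet 10.1.1.0/24, R2 Loopback0 2.2.2.2, R2 tunnel 10.1.1.2,
! network-id / tunnel key 100, authentication string DMVPNKEY.
!
! ===== R1 (hub) =====
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel100
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ! The NHRP authentication string travels in cleartext inside NHRP packets; it only
 ! prevents accidental mis-peering. Confidentiality and peer authentication come
 ! from the IPsec profile added in Task 4.
 ip nhrp authentication DMVPNKEY
 ! Spokes are added to the multicast replication list as they register.
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ! No "tunnel destination": peers are resolved through NHRP, hence multipoint mode.
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100
!
! ===== R2 (spoke); R3 and R4 repeat this with their own Loopback0/tunnel addresses =====
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel100
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ! Static mapping of the hub's tunnel address to its NBMA address ...
 ip nhrp map 10.1.1.1 1.1.1.1
 ! ... and the hub as the recipient of this spoke's multicast (routing hellos).
 ip nhrp map multicast 1.1.1.1
 ip nhrp network-id 100
 ip nhrp nhs 10.1.1.1
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100
!
! Verification: on R1, "show ip nhrp" should list one dynamic registration per spoke
! and "show dmvpn" should show each spoke in the UP state.
```

The spokes only need reachability to 1.1.1.1 through the underlay (BGP with the MPLS router in this lab); spoke-to-spoke NBMA addresses are learned later through NHRP resolution, which is why no spoke carries a static mapping for another spoke.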

Task 3: Configure EIGRP as the routing protocol and enable spoke-to-spoke tunnels. Add Loopback10 to each of the routers and announce it in EIGRP.

Let’s enable EIGRP and announce the DMVPN network. Any routing protocol can be used, but EIGRP or OSPF are favorable in most designs. One thing to look out for: for DMVPN spoke-to-spoke to work and bypass the hub, the next-hop IP address of each route must remain unchanged, meaning it should not be the hub’s tunnel IP address but the tunnel IP address of the spoke that originated the route. In OSPF, changing the interface network type to “broadcast” is the solution. EIGRP requires split-horizon to be disabled and next-hop-self to be turned off on the hub router.
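As an added example (not the article’s own configuration), the EIGRP part of Task 3 on the hub and on one spoke. The 10.1.1.0/24 tunnel subnet and the Tunnel100 interface follow the earlier tasks; the EIGRP autonomous system 100, and the Loopback10 addresses 172.16.1.1/24 (R1) and 172.16.2.1/24 (R2), are assumptions made here.

```ios
! Added example, not the article's own configuration.
! Assumed: EIGRP AS 100, interface Tunnel100, Loopback10 172.16.1.1/24 on R1
! and 172.16.2.1/24 on R2 (R3/R4 follow the same pattern).
!
! ===== R1 (hub) =====
interface Loopback10
 ip address 172.16.1.1 255.255.255.0
!
interface Tunnel100
 ! Split horizon would stop R1 re-advertising a spoke's routes out of the same
 ! mGRE interface, so no spoke would ever learn the other spokes' networks.
 no ip split-horizon eigrp 100
 ! With next-hop-self left on, R1 rewrites the next hop to 10.1.1.1 and every
 ! spoke-to-spoke packet is pulled through the hub. Keeping the originating
 ! spoke's tunnel IP as next hop is what triggers the NHRP resolution that
 ! builds the direct spoke-to-spoke tunnel.
 no ip next-hop-self eigrp 100
!
router eigrp 100
 ! The tunnel subnet itself must be included, otherwise no adjacency forms.
 network 10.1.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
 no auto-summary
!
! ===== R2 (spoke); R3/R4 differ only in Loopback10 =====
interface Loopback10
 ip address 172.16.2.1 255.255.255.0
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.2.0 0.0.0.255
 no auto-summary
!
! Loopback0 (the NBMA address) deliberately stays in BGP only. Advertising the
! tunnel source inside the overlay makes the tunnel route to itself and IOS
! brings the tunnel down with a recursive-routing error.
!
! Checks: "show ip eigrp neighbors" on R1 lists 10.1.1.2, .3 and .4;
! "show ip route eigrp" on R2 shows 172.16.4.0/24 via 10.1.1.4, not via 10.1.1.1;
! after a first "traceroute 172.16.4.1" from R2, "show ip nhrp" on R2 holds a
! dynamic entry for 10.1.1.4 and a second trace no longer passes 10.1.1.1.
```

The first traceroute may still show 10.1.1.1 as a hop: the packet is forwarded to the hub while R2’s NHRP resolution request for 10.1.1.4 is outstanding, and only once the reply arrives and the spoke-to-spoke tunnel is up does traffic switch to the direct path.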

We will now test whether spoke-to-spoke is possible. Let’s trace from R2 to R4. Take note that in some cases the initial traffic will go through R1, while the succeeding packets go directly to R4. The reason is that when the initial traffic is sent, R2 is still in the process of learning through NHRP how to reach R4 directly.

The traceroute above shows that the path taken was directly to the tunnel IP address of R4. The “show ip nhrp” command also shows that R2 built a direct spoke-to-spoke tunnel to R4 and that traffic did not pass through R1.

Task 4: Configure Encryption

A good network design includes a way to secure traffic. This is a must, given that DMVPN is deployed over shared topologies such as the Internet and MPLS. Let’s proceed to configure IPsec encryption. We will begin with the configuration of the IPsec policy, SA, and profiles.
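As an added example for Task 4 (not the article’s own configuration), the IPsec pieces applied identically on R1 through R4. The profile name DMVPN and the Tunnel100 interface follow the rest of the lab; the policy number, pre-shared key PSK-CHANGE-ME, transform-set name DMVPN-TS and algorithm choices are assumptions made here.

```ios
! Added example, not the article's own configuration. Apply on R1, R2, R3 and R4.
! Assumed: policy 10, PSK "PSK-CHANGE-ME", transform set DMVPN-TS, profile DMVPN,
! interface Tunnel100.
!
! Phase 1 (IKEv1/ISAKMP) policy.
crypto isakmp policy 10
 encryption aes 256
 ! "hash sha256" needs an IOS 15.x image; on older GNS3 images use "hash sha".
 hash sha256
 authentication pre-share
 group 14
!
! A wildcard peer address is used because a spoke does not know the NBMA
! addresses of the other spokes in advance. One key shared by every router
! means a compromised spoke can impersonate any peer; for production,
! per-peer keys or certificate authentication are the stronger choice.
crypto isakmp key PSK-CHANGE-ME address 0.0.0.0 0.0.0.0
!
! Phase 2: transport mode, because the GRE header already carries the NBMA
! addresses; tunnel mode would only add a second outer IP header.
! "esp-sha256-hmac" also needs IOS 15.x; older images use "esp-sha-hmac".
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN-TS
!
! Bind the profile to the mGRE interface; IOS then negotiates an SA with every
! NBMA peer the tunnel talks to, including dynamic spoke-to-spoke peers.
interface Tunnel100
 tunnel protection ipsec profile DMVPN
!
! Checks: "show crypto isakmp sa" shows QM_IDLE per peer, "show crypto ipsec sa"
! shows the encaps/decaps counters rising, and "show dmvpn" keeps the peers UP.
```

Because the tunnel is protected at the interface, no crypto map or access list is needed: every GRE packet leaving Tunnel100 is encrypted, and a spoke-to-spoke tunnel built later by NHRP is protected by the same profile.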

Peterson Amar is an experienced network engineer in the banking environment. He is CCIE R&S #41260, CCNA-Voice, ITIL and Juniper certified professional. He is the author of ciscodreamer.blogspot.com and currently preparing for his 2nd CCIE. His profile can be found at http://www.linkedin.com/in/petersonamar.

After making those changes I have all GRE Tunnels up and I am now able to route from spoke to spoke to any router on the topology.

wdpless

The network statements on routers 2,3, and 4 need to have the 10.1.1.0 0.0.0.255 network advertised. This formed the neighbor adjacency immediately for me.

UNEXPLAINED

What is the routing config for the middle MPLS router? Is EIGRP already configured on it? How can EIGRP be the routing protocol for the VPN without it being on the MPLS router? I would love to see the BGP config for the MPLS router as well.

Garrett

Thank you so much for the help! One of the best DMVPN guideline configs out there!
For the MPLS router config, I just used a standard BGP config without loopbacks, be sure to advertise each interfaces network on each router hanging off the MPLS.

I also found that you do have to use loopbacks when configuring EIGRP for routing your tunnel’s network; using the same interface IP addresses you used for BGP messes it up. (Frans’ config might have helped but I didn’t see it right away.) Also remember to swap out the source tunnel interfaces and your tunnel mapping with your new BGP interfaces; that messed me up for a while.

Thanks again!

http://ciscodreamer.blogspot.com Peterson

UNEXPLAINED, the middle MPLS router is only peering with the DMVPN routers using BGP. The DMVPN routers are announcing their Loopbacks to BGP.

James Westfall

A few points need to be fixed.

The “network 10.1.1.0 0.0.0.255” command must be configured under EIGRP process 100 on all routers (except the SP router), which is essential to form the neighbor relationships with the others.

IPsec profile, DMVPN also must be applied on R3 Tunnel interface.

James Westfall

There’s no MPLS configurations here. The author just wants to illustrate that SP network is a MPLS network.

admin

Sorry about that…it was an error in the link. Try clicking the link again and you should be able to get the GNS3 files now.

James Westfall

Hi, sorry. The second comment was my reply to Peterson. Thanks for fixing this.

cedric

This tutorial is awesome; I was able to do it in GNS3 with OSPF. A copy/paste of the config with a few changes like IOS and the interfaces. To use OSPF, set up in the tunnel 100 of R1: ip ospf network broadcast + ip ospf priority 255, and on the other tunnels R2, R3, R4: ip ospf network non-broadcast + ip ospf priority 0.
And to confirm, you need to add the local network of the tunnel IP (10.1.1.x) to form the neighbor adjacency. I guess the same goes for EIGRP; it was missing in the text above.
Nice Saturday morning, studying DMVPN, and understand it very well.
Thanks a lot !!

chris

Not able to form neighbors in this lab; any suggestions? sh ip eigrp nei doesn’t show any adjacencies.
